Software Defined Wide Area Networking (SD-WAN) is a prominent feature of enterprise networking today. In this generation of WAN technology, SD-WAN establishes connections over networks such as broadband internet and cellular technologies (4G, LTE, etc.). SD-WAN runs over the internet or a cloud-native private network, decouples the management plane from the network (data) plane, and detaches the traffic management and monitoring functions from the underlying hardware. An SD-WAN deployment has several basic components: edge connectivity abstraction, WAN virtualization, policy-driven centralized management and elastic traffic management. SD-WAN networks are becoming more widespread, and one feature of these networks is that they can be used to construct paths for data from a client to a (web) service. The paths so created can ensure that the data traverses only approved networks and is protected in transit.
To establish secure communication channels today and to get access to resources managed by (cloud) services, (web) credentials are carried in web cookies or OAuth tokens (generally, web credentials) and act as cryptographic capabilities for those resources. A (web) application first obtains (web) credentials from a single-sign-on (SSO) service's identity provider or another authentication provider (possibly with multi-factor authentication), and then presents these (web) credentials as proof of identity to get access to the resource managed by the (web) service. Such credentials exist in various forms and protocols (e.g., HTTP cookies, OAuth tokens, etc.) but invariably involve service redirections to a single-sign-on, OAuth or other authentication service that issues the credentials, which are then included in the application's service session. The (web) credentials themselves minimally contain the identity of the caller and its access rights, and may additionally carry a security assertion, e.g., coded in Security Assertion Markup Language (SAML).
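The credential flow described above, reduced to its two halves (an identity provider that issues a signed credential carrying identity and access rights, and a resource service that accepts that credential as a capability), as an added illustration that is not part of this document's disclosure. The HMAC-SHA256 token layout, the claim names, the shared signing key and the audience name "files-service" are assumptions chosen for the example, not any particular product's format:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key shared by the identity provider and the resource
# service (assumption; real deployments commonly use asymmetric keys so that
# the resource service holds only a verification key).
IDP_SECRET = b"example-idp-signing-key-do-not-reuse"
AUDIENCE = "files-service"   # assumed name of the resource service


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl=300, now=None):
    """Identity provider side: after authenticating the user (and any
    second factor), encode caller identity and access rights as claims and
    sign them, so the resource service can trust the claims without
    contacting the identity provider on every request."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": list(scopes), "aud": AUDIENCE,
              "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_token(token, required_scope, now=None):
    """Resource service side: treat the token as a capability only if the
    signature, audience and expiry check out and it grants the scope this
    request needs. Returns the caller's subject, or None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_SECRET, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so the MAC cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:          # malformed structure, base64 or JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    scopes = claims.get("scope")
    if not isinstance(scopes, list) or required_scope not in scopes:
        return None
    return claims.get("sub")


def forge_subject(token, new_subject):
    """Attacker simulation: rewrite the identity claim but keep the original
    signature. verify_token must reject the result, which is what makes the
    credential a capability rather than a mere assertion by the caller."""
    body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["sub"] = new_subject
    return _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


if __name__ == "__main__":
    tok = issue_token("alice", ["files:read"])
    print("read as alice:", verify_token(tok, "files:read"))
    print("write as alice:", verify_token(tok, "files:write"))
    print("forged admin:", verify_token(forge_subject(tok, "admin"), "files:read"))
```

The verifier checks signature, audience and expiry before it ever looks at the scope; any failure yields the same None so the caller learns nothing about which check failed.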
There are problems with this authentication-service approach, specifically for enterprise networking. The current approach (a) relies only on end-to-end authentication and encryption to protect traffic crossing the public internet and (b) assumes that an encrypted channel is secure, although information can still be gleaned from it. The problem with (a) is that enterprise security officers or regulatory requirements are likely to demand segregation of enterprise traffic regardless of whether the channel is end-to-end encrypted. With regard to (b), when individual flows are carried separately, information about individual users can be gleaned even though the flows are encrypted, for instance by timing the messages, correlating packet sizes with known flows, and observing both the source and destination addresses of each flow. To create a better secured channel, flows need to be aggregated so as to obfuscate timing and individual packet sizes and to hide the destination IP addresses.
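The leak in (b) and the aggregation countermeasure, as an added illustration that is not part of this document's disclosure. An on-path observer who has previously recorded the packet-size sequence of each service can identify an encrypted flow from its sizes alone; once several flows are cut into fixed-size cells, interleaved, padded to a fixed batch and emitted at a constant rate towards one tunnel endpoint, the same observer sees only the tunnel. The flows, hostnames, sizes, and the cell, batch and tick values are constructed assumptions:

```python
# Constructed fingerprints: packet-size sequences an observer recorded earlier
# for each service. Sizes and timing of encrypted records stay visible.
KNOWN_FLOWS = {
    "payroll.example": [517, 1420, 1420, 310, 88],
    "mail.example":    [517, 640, 1420, 1420, 1420, 200],
    "wiki.example":    [517, 980, 230, 230],
}

CELL = 1500      # every tunnel cell is padded to this size (assumption)
BATCH = 16       # batches are padded to this many cells (assumption)
TICK_MS = 10     # one cell per tick, so inter-arrival time is constant (assumption)
TUNNEL_DST = "aggregator.example"   # the only destination the observer sees


def make_flow(dst, sizes):
    """A flow as the observer sees it: a destination and a size sequence."""
    return {"dst": dst, "sizes": list(sizes)}


def classify(observed):
    """Observer's attack on a single end-to-end flow: match the visible
    size sequence against known fingerprints. Returns the service name
    when exactly one fingerprint matches, else None."""
    hits = [name for name, sizes in KNOWN_FLOWS.items()
            if sizes == list(observed["sizes"])]
    return hits[0] if len(hits) == 1 else None


def aggregate(flows):
    """Tunnel ingress: chop every packet of every flow into fixed-size
    cells, interleave the flows round-robin, pad the batch with dummy
    cells, and emit one cell per tick to the single tunnel endpoint.
    The wire then shows constant size, constant timing and one destination,
    regardless of which flows (or how many) are inside."""
    queues = []
    for f in flows:
        cells = []
        for size in f["sizes"]:
            cells.extend([CELL] * (-(-size // CELL)))   # ceil(size / CELL) cells
        queues.append(cells)
    mixed = []
    while any(queues):
        for q in queues:                # round-robin interleaving
            if q:
                mixed.append(q.pop(0))
    mixed.extend([CELL] * ((-len(mixed)) % BATCH))   # dummy cells hide the true count
    return {"dst": TUNNEL_DST,
            "sizes": mixed,
            "times_ms": [i * TICK_MS for i in range(len(mixed))]}


if __name__ == "__main__":
    single = make_flow("10.0.0.5", KNOWN_FLOWS["payroll.example"])
    print("exposed flow classified as:", classify(single))
    bundle = aggregate([single, make_flow("10.0.0.9", KNOWN_FLOWS["wiki.example"])])
    print("tunnel classified as:", classify(bundle), "to", bundle["dst"],
          "sizes", set(bundle["sizes"]), "ticks", bundle["times_ms"][:3], "...")
```

Two different bundles of flows that fall into the same padded batch produce byte-for-byte identical observations on the wire, which is exactly the property the size, timing and address correlations in (b) rely on being absent.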